Commit 6483f70

Adds ml-model-group resource sharing doc
Signed-off-by: Darshit Chanpura <[email protected]>
1 parent c749b9b commit 6483f70

1 file changed

+66
-0
lines changed

@@ -0,0 +1,66 @@
1+
---
2+
layout: default
3+
title: Model-group access control
4+
parent: Integrating ML models
5+
has_children: false
6+
nav_order: 15
7+
---
8+
9+
# ML model group access control
10+
11+
**Status:** Experimental
12+
**Replaces:** `plugins.ml_commons.model_access_control_enabled` (on deprecation path; see note below)
13+
{: .warning }
14+
15+
This page explains how **ML Commons** integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for **ML model groups**.
16+
17+
> For the end-to-end framework concepts and APIs, see [Resource Sharing and Access Control]({{site.url}}{{site.baseurl}}/security/access-control/resources/)
18+
{: .note}
19+
20+
---
21+
22+
## Onboarding
23+
24+
- **Resource type:** `ml-model-group`
25+
- **System index:** `.plugins-ml-model-group`
26+
- **Onboarded in:** 3.3
27+
28+
When resource-level authorization is enabled for this type, each model group’s visibility is governed by a central sharing record. Owners and users with share capability can grant or revoke access for specific **users**, **roles**, or **backend roles**.
29+
30+
Model-groups control access to models.
31+
{: .note } green
32+
33+
---
34+
35+
## ML model group access levels
36+
37+
ML-commons exposes **three access levels** for granting access to a ml-model-group:
38+
39+
### 1. ml_read_only
40+
This read-only access level grants a read and search only access to the shared model-group.
41+
42+
Following actions are allowed with this access-level:
43+
```yaml
44+
- "cluster:admin/opensearch/ml/model_groups/get"
45+
- "cluster:admin/opensearch/ml/models/get"
46+
```
47+
48+
### 2. ml_read_write
49+
This read-write access level grants full access to a ml-model-group except share.
50+
51+
Following actions are allowed with this access level:
52+
```yaml
53+
- "cluster:admin/opensearch/ml/*"
54+
```
55+
56+
### 3. ml_full_access
57+
This access level grants complete access to a ml-model-group and will allow shared user owner-like permission.
58+
59+
Following actions are allowed with this access level:
60+
```yaml
61+
- "cluster:admin/opensearch/ml/*"
62+
- "cluster:admin/security/resource/share"
63+
```
64+
---
65+
66+
> These access-levels are non-configurable. If you would like to add more access-levels please file an issue on [the GitHub repo](https://github.com/opensearch-project/ml-commons/).
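
Review bot: The `ml_read_only` description (new lines 40 to 45) says the level grants "a read and search only access", but the listed actions are only `cluster:admin/opensearch/ml/model_groups/get` and `cluster:admin/opensearch/ml/models/get`; either list the search actions this level permits or drop "search" from the sentence, so the prose and the action list agree on what a shared user can do. Related scoping point: `ml_read_write` and `ml_full_access` both list the wildcard `cluster:admin/opensearch/ml/*` while the prose describes access "to a ml-model-group"; state explicitly that the wildcard is evaluated only against the shared model group, if that is the case, so it is not read as cluster-wide ML admin. Smaller items: line 12 says "see note below" for the deprecation of `plugins.ml_commons.model_access_control_enabled`, but no such note appears in the file; line 31 has a stray `green` after `{: .note }`; line 64 puts `---` directly after the closing code fence, unlike the other rules, which are set off by blank lines; and the naming varies between "ML Commons" and "ML-commons" and between "model group", "model-group" and "ml-model-group".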
